Date: 04/04/2005
Subject: Comment from ISO/IEC WG3, CAN&ISSEA
CC Part #1 Reference: CC Part 1, Annex C, Bibliography
CC Part #2 Reference:
CC Part #3 Reference:
CEM Reference:
Issue:
Determine the applicability of provided ISO standards for reference within the CC/CEM.
Specific Changes
Add the following reference to Part 1 Annex C Bibliography:
PPRP ISO/IEC FDIS 15292:2001 Information technology - Security techniques - Protection Profile registration procedures.
Rationale
The following documents were received from ISO at the 2003 October CCIMB meeting, and have been reviewed for consideration to be referenced:
Closely related standard. To be included in the references.
This CDIF family of standards is primarily designed to be used as a description of a mechanism for transferring information between modelling tools. While the CC does not mandate these mechanisms to be applied, this standard will assist the vendors and users of modelling tools and metadata repositories in developing mechanisms for interchanging information.
This standard defines a particular framework to cover the life cycle of software from conceptualization of ideas through retirement and consists of processes for acquiring and supplying software products and services. In addition, the framework provides for controlling and improving these processes.
While these software life cycle processes can be used while applying the CC, the CC does not mandate such a framework to be applied.
This standard provides a common process framework covering the life cycle of man-made systems. This life cycle spans the conception of ideas through to the retirement of a system. It provides the processes for acquiring and supplying systems. In addition, this framework provides for the assessment and improvement of the life cycle processes.
While these system life cycle processes can be used while applying the CC, the CC does not mandate such a framework to be applied.
This report addresses the adoption practices appropriate for a wide range of computing organizations. Also, this report neither dictates nor advocates particular development standards, software processes, design methods, methodologies, techniques, programming languages, or life-cycle paradigms.
While the CC does not mandate specific CASE tools, it does not preclude the adoption of the development tools in accordance with the guidelines defined in this report.
This standard defines both a sequence of processes and a structured set of CASE tool characteristics for use in the technical evaluation and the ultimate selection of a CASE tool.
While the CC does not mandate specific CASE tools, it does not preclude the selection of the development tools in accordance with the processes defined in the standard. However, the tool characteristics applied in the selection method do not consider aspects that may be required by the CC (access control, as an example).
The SSE-CMM® is a process reference model. It is focussed upon the requirements for implementing security in a system or series of related systems that are the ITS domain. Within the ITS domain the SSE-CMM® Model is focussed on the processes used to achieve ITS, most specifically on the maturity of those processes.
This standard is one of the various approaches to organizational security best practices specification and assessment. This area is currently under active research and development in the CC area, with no results yet available to determine the applicability of this particular reference.
The objective of this Technical Report is to present a variety of assurance methods, and to guide the IT Security Professional in the selection of an appropriate assurance method (or combination of methods) to achieve confidence that a given Deliverable satisfies its stated IT security assurance requirements. This report examines assurance methods and approaches proposed by various types of organisations whether they are approved or de-facto standards.
This report references and compares the assurance methods as applied in the CC with a variety of other assurance methods. However, the whole Technical Report has not been finally published as of November 2004. It is recommended for reference once published.
The purpose of ISO/IEC 13335 is to provide guidance, not solutions, on management aspects of information and communications technology (ICT) security.
ISO/IEC 13335 contains guidance on the management of ICT security. Part 1 of ISO/IEC IS 13335 presents the concepts and models fundamental to a basic understanding of ICT security, and addresses the general management issues that are essential to the successful planning, implementation and operation of ICT security. The other parts provide operational guidance on ICT security. Together these parts can be used to help identify and manage all aspects of ICT security.
This standard is one of the various approaches to organizational security management. This area is currently under active research and development in the CC area, with no results yet available to determine the applicability of this particular reference.